Georgia Tech Research Institute (GTRI) is the applied research arm at the Georgia Institute of Technology. In 2013, GTRI was awarded $1.7 million to develop and demonstrate a Trustmark Framework for the Identity Ecosystem.

“So many trust frameworks exist today. As you can imagine, this can lead to trust frameworks or federation silos that don’t trust or interoperate with each other,” says John Wandelt, research fellow at GTRI and executive director of the National Identity Exchange Federation (NIEF). “We ran into this challenge firsthand with the NIEF, which started out as a collection of law enforcement agencies in the United States sharing sensitive information.”

The GTRI team took the view of a trust framework as a set of components that can be standardized for reuse in different business contexts. The first involved developing the trustmark framework. In year two, GTRI began piloting the framework in the NIEF. The project has been extended through April 2016.

“We are now working to roll out to mental health and substance abuse councils in Alabama to facilitate the sharing of information to support the continuity of care for prisoners reentering into society,” Wandelt says. “This is just one example where different communities of interest, operating under different rules, need to trust and interoperate.”

Outcomes

Developed a framework to facilitate greater trust and interoperability of trustmarks across the Identity Ecosystem

Crafted more than 60 unique trustmark definitions

Issued more than 90 trustmarks to NIEF organizations

Developed software tools for defining, assessing, managing and facilitating trustmarks

Lessons learned

“It works, with real agencies signing trustmark agreements with real transactions and trust decisions being made,” says Wandelt. “Getting the granularity and componentization right for reuse is important. Bridging strategies is important for adoption.

“With any new technology, on day one you need to figure a way to make it usable with the existing infrastructure and products that are deployed,” he explains. “We had to figure out how to use trustmark technology without requiring custom changes to existing products.”

Associated with each trustmark is a set of conformance criteria and assessment steps that must be satisfied prior to someone earning a trustmark, says Wandelt. “For example, in order to earn a particular privacy trustmark, you might have to demonstrate that you have implemented a privacy policy for minimizing the collection, use, and dissemination of user data,” he adds. “One of the challenges is that there is a lot of informal trust being leveraged among partners today, and formal policy documentation is weak or non-existent. So in order to be able to issue trustmarks, we often have to assist the trustmark recipients to get their house in order so they can legitimately earn them.”